Security Framework

Ohio State’s Digital Security and Trust group developed the Information Risk Management Program, commonly referred to as the "Security Framework," to manage information security risk to Ohio State’s information systems and assets.

The Information Risk Management Program (IRMP) has produced a series of information security and risk management resources to assist organizations in understanding the program and in implementing strategies to manage information risk:

• Information Security and Privacy Standard (ISPS)
• Information Security Control Requirements (ISCR)
• Information Risk Management Framework (IRMF)
• Information Security Processes
• Cyber And Privacy Legal Review
• Framework Glossary
• Job Aids
• University-Approved Lists
   

Ohio State's IRMP has been developed with three broad goals:

1. Simplified design. Standards are often lengthy and complex. For example, NIST SP 800-53 has 20 control families and over 1,150 security controls. The OSU Security Framework defines 10 risk codes which are made up of 39 risk areas (grouped into seven business functions and three technical functions) and over 300 security controls.
    
2. Structured for business leaders, managers and IT professionals. Information security standards are generally written for IT or risk management professionals. The program has been written and organized for non-technical business managers with linkage to security controls, procedures and job aides for IT professionals. Risks are categorized into nine different business functions that cross most organizations:
   • management risk
   • legal risk
   • business (finance) risk
   • purchasing risk
   • human resources risk
   • facilities risk
   • information technology risk
   • privacy risk
   • industrial control systems risk
   • A tenth category is "institutional data risk", which is separated as this risk crosses all business functions.
      
3. Finally, the Information Risk Management Program is built on the premise that information security and information risk management is a university responsibility, not exclusively an IT responsibility.

Information Risk Management Process

As part of the Information Risk Management Program, OSU has implemented a three-step process for managing information risk:

1. The first step is to assess information risks. This step involves identifying and prioritizing risks to your business information resources (Internet hacking, stolen laptops, government regulations, etc.). Additionally, a risk treatment plan is created, which defines the information risks your business ranks as too high to tolerate.
2. The second step is to implement an information security program. The goal of this step is to reduce or eliminate the risks identified in the previous step. This is a very pragmatic way to implement information security: the focus is on business risks and not on the latest available technology.
3. The third step is to verify compliance, with both your information security program and with applicable laws and regulations. This step assures the business owners that information risks are being managed.
    

Using this three-step process, all Ohio State departments can make measurable improvements to their information security–with a corresponding measurable reduction of their information risks.

Last updated: December 17, 2021